5

I want to learn reverse engineering so I was starting to try compiling simple (to start with) C programs and then reading the disassembly.

The following file

int main(void) {
  return 0;
}

compiled with gcc then disassembled with objdump -d ends up creating 172 lines of output. I don't understand why there is so much output.

What is the meaning of the different sections:

0000000000400370 <_init>:
0000000000400390 <__libc_start_main@plt-0x10>:
00000000004003a0 <__libc_start_main@plt>:
00000000004003b0 <__gmon_start__@plt>:
00000000004003c0 <_start>:
00000000004003f0 <deregister_tm_clones>:
0000000000400420 <register_tm_clones>:
0000000000400460 <__do_global_dtors_aux>:
0000000000400480 <frame_dummy>:
00000000004004ad <main>:
00000000004004c0 <__libc_csu_init>:
0000000000400530 <__libc_csu_fini>:
0000000000400534 <_fini>:

Of course I have been reading about the calling convention and opcodes so I can see how the section corresponds to the C code.

emberfang
  • 53
  • 3

2 Answers2

6

I see you're mixing up sections with functions.

What you have provided in your question are functions necessary to an ELF binary to execute. For example, the _start function is usually the entry point of a binary and it will probably call the main function at some point. You can get the address of the entry of a binary using readelf -h on the binary file you have.

About the output, though your program is "empty" it was still compiled & linked successfully - for that it is not erroneous - into an executable ELF. This document provides everything you need to know about how an ELF binary is structured & how to manipulate it : ELF Format (PDF).

Now if you want to retrieve section information in a binary file the readelf function can again help with that, you just have to call it with the -S and the target binary file (readelf -S prog).

Since you're just starting to learn, I recommend you checking the binutils (readelf, objdump, ...) and their related documentation and start playing with simple programs before moving to crackmes and more advanced or obfuscated binary files.

perror
  • 19,083
  • 29
  • 87
  • 150
yaspr
  • 2,663
  • 14
  • 20
3

Those are not sections, those are different functions in your binary. These are called in various times during process' lifetime.

What you are interested in is function main. objdump -d disassembles the whole binary, but if you are trying to understand what's going on in main only, at this point , you don't have to look at the rest of those.

When you use gcc to compile a binary into an executable, linker is called. If you don't want the linker to be called, to generate an object file, use gcc -c. Here's the result of objdump -d test.o:

$ objdump -d test.o 

test.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <main>:
   0:   55                      push   %rbp
   1:   48 89 e5                mov    %rsp,%rbp
   4:   b8 00 00 00 00          mov    $0x0,%eax
   9:   5d                      pop    %rbp
   a:   c3                      retq

Here, since the code isn't linked , you only see your function.

0xea
  • 4,904
  • 1
  • 23
  • 30